nullstream weblog - Vista Virtualization Limitations

Rant

June 20, 2007 04:00 PM PST

About three months ago I wrote a blog entry to express my frustration with MS's attempts to limit Vista virtualization via the EULA to only the most expensive skus. I calmed down however and decided not to post it.

Recently MS decided to relent to user outcry and reverse their EULA restrictions. They had a press release preloaded and ready to launch, but then at the last minute they changed their mind. Well I changed my mind also. Here is my original post. Beware there be dragons.

Disclaimer: This post is a rant pure simple. It
is also likely to get a little technical in spots. It expresses just the tip of
the iceberg of frustration I feel toward Microsoft lately. Or more specifically
with their business and marketing leadership. This post shouldnot be read byanyone.

In a olderpost
I ranted on how lame I thought it was that a company (specifically Apple) would
try to make virtualizing their OS illegal. This lead me to the discovery that
Microsoft is attempting to do the same thing with versions of Vista. (See
comments in the above mentioned post.) Well the restrictions mentioned in the
Vista EULA are just the first crumbs on a trail that leads to lies, frustration,
and stupidity- oh yeah, and more lies.

Vista Ultimate: Virtualization allowed, but you are not allowed to access DRM
protected content or use bitkeeper encryption. Microsoft states: "We advise
against playing or access content protected by...".

Why would they want to limit your ability to us the cheaper versions under VM?
The obvious answer is that they are trying to force users to pay spend more
money and buy Ultimate. Another possible reason is to punish Apple defectors who want to run the cheaper versions of Vista under Parallels to save money. Yes of course both of these are true, but it is not the whole story. Is there a
technical reason not to run those versions under VM? Well no. Will it work if
you try? Well maybe. If you run it under VMWare or Parallels or older Virtual PC
yes. But there is an unconfirmed rumor that if you try it under VPC 2007 it won't let you violate the Vista EULA. (Read the comments in that post. I have not verified this personally but I wouldn't be surprised if it were true.)What about Ultimate? If you run it under VM will the DRM and Bitkeeper
stuff work? Most likely Yes. Then why don't they legally allow you to do it?
Before I tell you why, lets find out what MS is saying about this publicly:

According to this article
Microsoft is basically saying that they don't let you do it for your own safety.
Basically they claim that running their OS under virtualization opens up
security holes, so they just want to protect you. Wait, I thought that running
and OS under virtualization actually gave you a protected sandbox for that OS
effectively making it more
safe not less. To back up their claim they reference a potential VM security
hole discovered last summer by researcherJoanna Rutkowska.

So what to make of it? It's for our own safety? Nope, all lies. If you do a
little digging on Joanna's research you'll find that while the concept was
prototyped on Vista, it really isn't limited to Vista. It could affect any OS.
Oh and it wasn't even that it it affected Vista only when running under VM. In
fact her tests were done on a Vista that was NOT under VM. Her main argument is against the new hardwarevirtualization features being added to modern processors. Specifically
AMD's SVM/Pacifica. She even states that it probably applies to Intel's new
chips as well. let me repeat the important part; it is a hardware security hole
made possible by new virtualization features in the CPU. This can affect Vista
in or out of VM. It can affect XP in or out of VM. It can affect.. well you get
the point. Microsoft basically references a study that includes the words
'virtualization' and 'security hole' to back up their argument. Again, it is
total crap.

So besides money, what else is the motivation? Well the EULA basically spells it
all out. We will allow you to run Vista (ultimate) under VM as long as you don't
use DRM or encryption. That's it. MS, at the request of RIAA and MPAA, spent
oodles of time, money, and hundreds of thousands of lines of code to make
Vista's DRM the most secure ever. In fact secure content runs in a specialprotected process (aka protected environment 'PE' or protected media path) that 1.
Won't allow the content to execute unless the entire software stack from file to
hardware is signed, secure and authorized. And 2. The OS will not allow any other process to mess with a protected process. This means no debugging, peaking of memory etc. But you know what? It is all for nothing if you run it under VM. Once under VM someone can peak around with the internal memory from outside the protected box. A few days in the right hackers hands and presto, yet another DRM defeated. So yes it is a security risk, but to the content owners, not to the users!

So is all this EULA nonsense just a knee jerk reaction to discovering an
embarrassing Vista flaw at the last minute? No they didn't just discover it. It
has been a known limitation for years. In fact they knew about it before they
built it. The content providers knew about it also. Then why the heck did they
even bother? That the part that bothers me the most, its not that they lie about
it. It's not that they are trying to poorly close the hole with legal mumbo
jumbo, veiled threats and half hearted license 'detection' schemes. It's that
they did it in the first place. They knew full well that this thing would be
easily defeated and spent all the resources to do it anyway. They wasted
resources that could have been put to better use, just to stroke the content
providers. They bloated the create process code path and hobbled internal OS
features to the detriment of all applications - for nothing. What a waste.

I think the article's main point on DRM use misses the point, but I agree that the EULA would have no effect on someone determined to crack DRM or copy protection anyway.

Their point on OEM pricing seems to make sense at first glance, but I don't see how limiting VM use on a Mac solves anything. Apple could still sell Windows pre-loaded into a boot camp partition for the OEM price. Reboot or no reboot, it still means you can 'do more' with a Mac.

If MS were serious about keeping Windows off of Macs, why not change the license to say you are not allowed to run it on a Mac? After all, Apple's license says you are not allowed to run OSX on anything BUT a Mac.

I wouldn't be surprised however, if MS aimed their lawyers at the VM makers to force them to "detect and deny" the restricted versions of Windows.

I think the real result of this nonsense will be that instead of Mac user's coughing up the cash for Vista Ultimate, they will just continue to buy XP.